DuoCircle

DomainKeys Identified Mail (DKIM)

Modified on: Wed, 13 Feb, 2019 at 7:11 PM

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email claimed to come from a specific domain was indeed authorized by the owner of that domain. It is intended to prevent forged sender addresses in emails, a technique often used in phishing and email spam.

Configuring DKIM for a sending domain

To begin signing your outbound email messages with DKIM, open the "Sender Domains & DKIM" configuration page for your service, found under your account in the DuoCircle client area. DKIM signing is performed on a per-domain basis, so you must list on this page all domains which will send mail through your Outbound SMTP relay service. Once you have populated this list, you may enable DKIM for specific domains by clicking the red "NO" button in the row of each domain.

This action will enable DKIM signing for that domain and also generate a new DKIM key if no previous key is already known to the system. The red "NO" button will turn to a green "YES" on success, and you will now see two options under the "DKIM tools" heading:

Clicking the magnifying glass button (left) will display the DKIM settings for this domain. To complete the process of configuring DKIM signing, you will need to create a TXT record matching the provided values with your domain's DNS provider. We immediately begin DKIM-signing your outbound mail from this domain; however, recipients will not be able to verify the signature until this TXT record has been added and propagated through the DNS system.

If at any time you wish us to stop signing your outbound mail for a specific sending domain, you may click the green "YES" button. The button will switch back to red "NO" as confirmation that DKIM signing has been deactivated. Your DKIM key will remain intact should you wish to return at another time to activate DKIM signing again.

Rotating your DKIM Key

The process of changing the DKIM keys used to sign your outbound mail is called "key rotation". In this process we generate a new selector and key for your sending domain and provide you with its DNS record values, but we do not yet begin signing new mail with this key. Before that can happen, you must add the TXT record for this new key to your domain's zone and wait for it to propagate through the DNS system. Once it has fully propagated, you return to the "Sender Domains & DKIM" page for your service and complete the rotation process.

NOTE: When a DNS record for a DKIM key is removed, recipient mail servers will no longer be able to verify messages signed with that key. Do not remove the DNS record for your currently-active DKIM key until you have confirmed that all new outgoing messages are being signed with your new key and all queued messages signed with your current key have been delivered to their destinations.

To rotate the DKIM key for one of your sending domains, click the red "refresh" button for the domain found under the "DKIM tools" heading. If you have not previously started a key rotation, you will see a popup with instructions on how to begin:

Clicking the "New Key" button will generate a new rotation key for your service, and the resulting popup will provide you with the necessary details to configure the DNS records for this new key.

The next step is for you to create a TXT record matching the provided values with your domain's DNS provider. You may close this popup in the interim. If you need to see these key details again, return to the "Sender Domains & DKIM" page for your service and click the red "refresh" button for the domain found under the "DKIM tools" heading to re-open this popup.

NOTE: Do not remove the DNS record for your currently-active DKIM key yet. Any outbound messages signed with your active key that are still queued for delivery will not be verifiable by the recipient mail server if you remove the DNS record for your currently-active DKIM key.

Once the DNS record for your new DKIM key has been added and fully propagated through the DNS system, you are ready to rotate your key. To do this, return to the "Sender Domains & DKIM" page for your service and click the red "refresh" button for the domain found under the "DKIM tools" heading. The above popup window ("Rotate DKIM key for <domain>") will reopen. Clicking the red "Rotate Now" button will replace your current DKIM key with the new key, and our systems will immediately begin signing your outgoing messages with the new key.

After a suitable period of time you may remove the DNS records for your previous DKIM key. It is recommended to keep both DNS records (new key and old key) active until you are certain that all outbound messages signed with your old key have been delivered to their destinations.
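
Both the initial setup and the "Rotate Now" step above depend on the published TXT record matching the provided values on every resolver you check. The following is an added example (not DuoCircle's tooling) that classifies TXT answers, given as the strings "dig +short TXT <selector>._domainkey.<domain>" prints, against the expected p= value; the key material, record and resolver labels are constructed.

```python
import re

def parse_txt_rdata(rdata: str) -> dict:
    """Join the quoted character-strings of one TXT answer and split it into DKIM tags."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    joined = "".join(chunks) if chunks else rdata  # long keys arrive as several <=255-byte strings
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # whitespace inside p= is not significant
    return tags

def key_status(rdata_list, expected_p: str) -> str:
    """Classify one resolver's answer: match, mismatch, revoked or missing."""
    want = re.sub(r"\s+", "", expected_p)
    for rdata in rdata_list:
        tags = parse_txt_rdata(rdata)
        if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
            continue  # some other TXT record at this name, not a DKIM key
        if tags["p"] == "":
            return "revoked"  # RFC 6376: an empty p= means the key has been revoked
        return "match" if tags["p"] == want else "mismatch"
    return "missing"  # no answer, or nothing that parses as a DKIM key

def ready_to_rotate(answers_by_resolver: dict, expected_p: str) -> bool:
    """True only when every resolver queried already serves the new key."""
    return bool(answers_by_resolver) and all(
        key_status(a, expected_p) == "match" for a in answers_by_resolver.values())

# Constructed sample data: placeholder key, not a real public key.
NEW_P = "MIIB" + "QUJD" * 90
RECORD = "v=DKIM1; k=rsa; p=" + NEW_P
SPLIT = '"%s" "%s"' % (RECORD[:255], RECORD[255:])  # as dig prints a long TXT record
ANSWERS = {
    "resolver-a": [SPLIT],   # new key visible
    "resolver-b": [],        # record not yet propagated here
}

if __name__ == "__main__":
    for name, answer in ANSWERS.items():
        print(name, key_status(answer, NEW_P))
    print("ready to rotate:", ready_to_rotate(ANSWERS, NEW_P))
```

The same check, run against the old selector, confirms that its record is still published while mail signed with the old key is in transit.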

Restarting the key rotation process

If for any reason you do not wish to use the rotation key we've previously generated for you, you may request a new one. To do this, return to the "Sender Domains & DKIM" page for your service and click the red "refresh" button for the domain found under the "DKIM tools" heading. The above popup window ("Rotate DKIM key for <domain>") will reopen. Clicking the green "New Key" button will erase any existing rotation key for the sending domain and generate a new one in its place.